These are the updates we have made since the draft release in November, following continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers:

Enabled « Turn off Microsoft consumer experiences, » which is a new setting as of version 1511.

Removed configuration of « Allow unicast response » from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is miniscule.

Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)

Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet.

Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. It also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.